This Common Strategy is Killing Your Cybersecurity Revenue

For many of you reading this, it’s Q4 and you might be looking at your year-to-date sales and scratching your head about the low customer adoption of your cybersecurity services. Cybersecurity is a hot commodity, right? Every business needs it, right? So why aren’t your sales numbers rocketing right off your spreadsheet?

In talking to managed service providers (MSPs) on a regular basis about go-to-market strategies, marketing and sales enablement, I noticed something all too common that is stifling sales and, as a result, perpetuating the risk exposure of SMBs.

Right Product Wrong Package

You may have built a world-class cybersecurity solution – hired the right staff, chose the right tech, picked the right partners — but the way you present it to your customers is everything.

The problem I see is MSPs have organized their offering into the typical good-better-best packaging model we’re all super familiar with in the SaaS market. There are two big problems with that.

Problem #1 — Nobody Likes Buying Cybersecurity

Cybersecurity is not something any business is excited to spend more money on. When was the last time you bought the BEST life insurance policy? What about the BEST car insurance you could find? You need them, but are you looking for the BEST, or the best-fit for your risk tolerance level? Unless you’re a wealthy hypochondriac or a terrible driver with a Ferrari, I’m going to guess you weren’t drawn to the BEST plans. And come to think of it, are insurance plans ever packaged in a Good-Better-Best way? No. And for good reason. So, step 1 — take a page from their playbook.

Problem #2 — Cybersecurity is Not Simply a Product

The good-better-best model works for a single-purpose SaaS product. But cybersecurity is much more complex — it’s a combination of multiple products, various levels of service, and a sliding scale of asset coverage. When you borrow this tiered packaging model from the SaaS market, you’re forcing your buyer into making a very difficult choice with very few options. Not only does your buyer not like buying cybersecurity, but they also don’t fully understand the ramifications of their choices. So, they’re going to do what humans do… hedge their bets.

When you had to purchase something that frankly was over your head, what did you choose? The most expensive premium option? The dirt-cheap option? Nope. You probably hedged your bets and went with the middle or, if you’re a cheapskate like me, the one slightly-below-middle-but-not-the-cheapest.

Remember that for most SMBs, telling them all of the cybersecurity services they need is like you being told you need an Automatic Pulsation Vacuum Double Cow Milker with Food-grade Silicone Cups and Tube and Stainless Steel Bucket (apparently it’s a thing!), but you have to choose whether you want to pay a little or a lot for it.

Cybersecurity and Home Security

So, in addition to looking at the insurance industry for a hint that borrowing the SaaS Good-Better-Best model might not be appropriate, you don’t have to look far to consider a better approach to cybersecurity packaging. Consider home security services. Instead of asking consumers plainly whether they want good, better, or best security, the packaging options are centered on “scope” (what do you want to protect) and “service” (how much work do you want to avoid).

Recommended Approach

The answer to smarter cybersecurity packaging is thankfully right under our noses. I’m sure you’ve heard of the NIST Cybersecurity Framework (CSF). If not, this framework is quickly becoming the standard for both explaining and architecting cybersecurity capabilities, and it is more frequently being used by cyber insurance providers to evaluate policyholders and determine premiums.

Align your cybersecurity products and services to these five NIST CSF functions and now your customer can better understand the scope of cybersecurity and what they are choosing. Allow them to configure the protection that fits their risk tolerance.

  • Identify includes risk assessment, asset management, and vulnerability scanning to name a few.
  • Protect includes endpoint protection, access control, data security and more.
  • Detect includes logging, monitoring, threat hunting and detection.
  • Respond includes incident response planning, remediation capabilities, and forensic investigation.
  • Recover includes disaster recovery planning, data backup and restoration, and communication channels.

Don’t make it a “this or that” choice. That is too limiting when it comes to cybersecurity complexity and the variations amongst business IT estates. Instead, you could offer choices within each NIST CSF function. Within these single-purpose NIST CSF functions, it is totally practical to build out tiered choices based on size/scope of coverage or sophistication of solution.  

As a buyer, I can now begin to wrap my head around the cybersecurity functions I need from you and can choose the good-better-best levels within these areas based on risk tolerance and what’s a “best-fit” for my organization. It’s no longer an all-or-nothing situation where perhaps you’ve currently lumped all your truly recommended capabilities into the “BEST” option which the buyer perceives as overkill.

Expected Outcomes

Now that you haven’t boxed your customer into choosing “good” cybersecurity or possibly “better” cybersecurity, but rarely the “best” cybersecurity, look forward to seeing more of those advanced cybersecurity functions going to work for your revenue numbers and your customers’ cybersecurity posture.

Flexible Offerings Require Flexible Solutions

I realize this is all well and good if your cybersecurity stack allows you to mix and match different solutions within these five NIST CSF functions. You’ll certainly need vendors and partners that allow you to flex scope and service amongst things like endpoint protection, security monitoring, threat hunting, SIEM coverage, and more on a per-client basis to make this practical and affordable.

Check out Netsurion’s Managed XDR and Npower Partner Program for a more flexible way to scale your cybersecurity services across your full range of customers. Talk to one of our advisors to find out which NIST CSF functions Netsurion can fulfill for you and your clients.

Make the Choice Simpler for Your Clients

Whether you use the NIST Cybersecurity Framework above or another, the important part is to help your clients make the best choice for them and to feel confident in their choice. Using a gap analysis is a great method to consult with your client and help them make informed decisions. Try the free Cybersecurity Gap Analysis & Maturity Roadmap tool by Netsurion, which is built around a similar framework, the Predict-Prevent-Detect-Respond framework.

Author Aaron Branson is senior vice president of Marketing for Netsurion. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.